Wiki source code of Application_Webkit

Last modified by Nicolas Gregoire on 2012/01/14 17:48

{{toc/}}

= Introduction =

Quoting [[Wikipedia>>http://en.wikipedia.org/wiki/Webkit||rel="__blank"]]: "//WebKit is a layout engine designed to allow web browsers to render web pages. WebKit powers Google Chrome and Apple Safari that by December 2011 held 33.35% of the browser market share between them (according to StatCounter). It is also used as the basis for the experimental browser included with the Amazon Kindle ebook reader, as well as the default browser in the iOS, Android and webOS mobile operating systems.//"

= Applications =

Webkit is used as the rendering engine of numerous browsers:

* Google Chrome: not vulnerable, because of its sandbox
* Apple Safari: patch available (v5.1)
* Apple iTunes: patch available (v10.5)
* Apple iOS: patch available (v5)
* Maxthon MX3: v3.0.22.2000 is vulnerable, recent versions weren't tested
* HP webOS: patch available (v3.0.2)
* Nokia S60: untested
* Blackberry Torch / Playbook: not vulnerable according to the BBSIRT
* Epiphany: v2.30.2 available in Ubuntu 10.04 is vulnerable

It is also used in other software that renders HTML:

* Liferea (RSS reader): v1.6.2 available in Ubuntu 10.04 is vulnerable
* Amazon Kindle: untested
* Valve Steam: untested
* and much more ...

= File creation vulnerability =

Webkit uses [[libxslt>>Engine_libxslt]] as its XSLT engine. Old versions did not restrict __write__ access by the engine to the file system, leading to a remotely exploitable file creation vulnerability ([[CVE-2011-1774>>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1774||rel="__blank"]]). This was patched in [[Changeset 79159>>http://trac.webkit.org/changeset/79159||rel="__blank"]] by adding appropriate calls to xsltSetSecurityPrefs().

The PoC included on the [[libxslt>>Engine_libxslt]] page demonstrates the vulnerability:

[[image:macos-tmp-owned.png||style="display: block; margin-left: auto; margin-right: auto"]]

[[image:ipad-tmp-owned.png||style="display: block; margin-left: auto; margin-right: auto"]]

= Metasploit =

Two modules are included in Metasploit:

* an [[auxiliary>>http://www.metasploit.com/modules/auxiliary/server/webkit_xslt_dropper||rel="__blank"]] module working on any non-sandboxed, non-patched Webkit device
* an [[exploit>>http://www.metasploit.com/modules/exploit/windows/browser/safari_xslt_output||rel="__blank"]] module targeting Safari users with Admin privileges (because of the MOF trick)

= HP webOS 3.x =

An exploit for HP webOS 3.x was developed. It drops a backdoor which is later executed with root privileges at boot time. The exploit is composed of two files:

* [[webos-root-backdoor.xml>>attach:webos-root-backdoor.xml]] contains the configurable data (name and content of the destination file) and a processing instruction triggering the XSLT code
* [[webos-root-backdoor.xsl>>attach:webos-root-backdoor.xsl]] reads the XML file and creates the requested file on disk. This version overwrites a script located in /etc/default/ with a version including a netcat-based reverse shell

Browsing the XML file from a vulnerable device is enough to trigger the exploit. This was patched in the 3.0.2 OTA update.